...


Data Processing Addendum


 

This Data Processing Addendum (“DPA”) supplements, and forms part of, the User Terms or the Subscription Agreement (the “Agreement”) between the applicable 1080Agile contracting entity (“1080TMS”) and the entity or person(s) identified as Customer in the relevant account or Agreement (as applicable) (“Customer”).

This DPA applies where and to the extent that 1080TMS is acting as a processor and/or controller of personal data on behalf of Customer under the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict. In the event of any conflict between the SCCs (defined in Section 1 below) and the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.

 

Definitions and Interpretation

1.1 Definitions. In this DPA, the following terms shall have the following meanings:

“Applicable Data Protection Laws” means all applicable laws related to the processing of Personal Data under this DPA, including the European Data Protection Laws, the US Data Protection Laws, Australia’s Privacy Act 1988 and New Zealand’s Privacy Act 2020.

“Controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given to them in the European Data Protection Laws.

“Customer Personal Data” means any personal data provided by, or on behalf of, Customer to 1080TMS in connection with the Services.

“Europe” means, for the purposes of this DPA, the Member States of the European Economic Area, the United Kingdom (the “UK”) and Switzerland.

“European Data Protection Laws” means: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (b) the UK’s Data Protection Act 2018 and the EU GDPR as incorporated into United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (c) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (d) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”), in each case as updated, amended, replaced or superseded from time to time.

“Personal Data Breach” means any act or omission that compromises either the security, confidentiality or integrity of Customer Personal Data transmitted, stored or otherwise processed by 1080TMS that is likely to create a risk to the privacy rights or harm to any individual. Without limiting the foregoing, a material compromise shall include unauthorized access to or disclosure or acquisition of Personal Information.

“Restricted Transfer” means a transfer of personal data that is subject to European Data Protection Laws to a country outside Europe that is not subject to an adequacy decision by the European Commission, or the competent authorities in the UK or Switzerland (as applicable).

“SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR.

“Sensitive Personal Data” means any Customer Personal Data: (a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (b) that is genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation; (c) relating to criminal convictions and offences; and (d) that falls within the definition of “sensitive personal information”, or similar term, as defined in the Applicable Data Protection Laws.

“Sub-processor” means any processor engaged by 1080TMS to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement where such entity processes Customer Personal Data. Sub-processors may include 1080TMS’s affiliates or other third parties.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) issued by the Information Commissioner’s Office under S119(A)(1) of the UK’s Data Protection Act 2018, as amended, superseded or replaced from time to time.

“US Data Protection Laws” means all data protection or privacy laws and regulations applicable to Customer Personal Data in force within the United States, including the California Consumer Privacy Act (as amended from time to time) (the “CCPA”), and any rules or regulations implementing the foregoing.

1.2 Interpretation. Capitalised terms used but not defined in this DPA shall have the meanings given to them in the Agreement.

 

Processing of Personal Data

2.1 Relationship of the parties.

(a) 1080TMS as a processor. The parties acknowledge that, except as set out in Section 2.1(b), Customer shall act as a controller and 1080TMS shall act as a processor in respect of its processing of Customer Personal Data disclosed to 1080TMS for the purpose of 1080TMS providing the Services.

(b) 1080TMS as a controller. The parties acknowledge that Customer acts as a controller and 1080TMS may also act as a controller in respect of its processing of Customer Personal Data to: (i) comply with its own obligations under applicable law and regulations and to establish, exercise or defend legal claims; (ii) contact Authorised Users in relation to the Services and/or any Third Party Products and Services; (iii) provide any services directly to Authorised Users, other than the Services provided to Customer; (iv) facilitate the provision of Third Party Products and Services to Authorised Users; (v) conduct research and development and improve the Services in a way that is not specific to Customer; (vi) communicate directly with Authorised Users, other than for the purpose of providing the Services to Customer; (vii) protect the safety and security of the Services in a way that is not specific to Customer, including detecting and responding to Personal Data Breaches or malicious and unlawful activity; (viii) generate de-identified statistical data to uncover collective insights about the use of the Services (and not to specifically analyse personal characteristics); and/or (ix) process such Customer Personal Data in any other context which requires 1080TMS to determine the purposes and means of such processing.

2.2 Prohibited Data. Customer will not disclose (and will not permit any Authorised User to disclose) any Sensitive Personal Data (including “Protected Health Information” as defined by the United States Health Insurance Portability and Accountability Act) to 1080TMS for processing. Notwithstanding the foregoing, Customer may disclose (and may permit its Authorised Users to disclose): (a) biometric data to 1080TMS for processing for the sole purpose of 1080TMS’s optional “Face Unlock” Kiosk feature; and (b) social security numbers, passport details, driver’s licence details and/or citizenship and immigration status to 1080TMS for processing for the sole purpose of 1080TMS’s “1080TMS HR” product.

2.3 Purpose Limitation. 1080TMS shall process Customer Personal Data as necessary to perform its obligations under the Agreement and strictly in accordance with the documented lawful instructions of Customer (including the terms of the Agreement), or as otherwise agreed in writing by the parties (the “Permitted Purpose”). 1080TMS shall not use, disclose or otherwise process the Customer Personal Data for any other purpose other than the Permitted Purpose, except where otherwise required by any law applicable to 1080TMS. 1080TMS shall notify Customer, without undue delay, if it becomes aware that Customer’s processing instructions infringe Applicable Data Protection Laws.

2.4 Security. 1080TMS shall implement appropriate technical and organisational measures to protect Customer Personal Data against a Personal Data Breach and to preserve the security and confidentiality of Customer Personal Data, in accordance with 1080TMS’s security standards described at 1080agile.com/security (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that 1080TMS may update or modify the Security Measures from time to time.

2.5 Personal Data Breach. Upon becoming aware of a Personal Data Breach, 1080TMS shall notify Customer without undue delay by written notice with all relevant details reasonably available of the Personal Data Breach to allow Customer to fulfil its data breach reporting obligations under Applicable Data Protection Laws. 1080TMS shall take further reasonable steps to contain, investigate and mitigate the effects of the Personal Data Breach. 1080TMS’s notification of or response to a Personal Data Breach in accordance with this Section 2.5 will not be construed as an acknowledgement by 1080TMS of any fault or liability with respect to the Personal Data Breach.

2.6 Confidentiality. 1080TMS shall take reasonable steps to ensure that it has appropriate policies and procedures in place in relation to any person that it authorises to process Customer Personal Data (including 1080TMS’s employees, agents and Sub-processors) and to ensure that such persons are subject to a duty of confidentiality.

2.7 Deletion or return of Customer Personal Data. Upon written request from Customer, 1080TMS shall anonymise, delete or return to Customer all Customer Personal Data in its possession or control subject to any requirement on 1080TMS to retain some or all of the Customer Personal Data to comply with applicable laws, in which event 1080TMS shall isolate and protect the Customer Personal Data from further processing except to the extent required by such law until deletion is possible. Customer acknowledges that there may also be circumstances in which one or more of its Authorised Users are Authorised Users of one or more other customers and in such circumstances, 1080TMS will continue to process the applicable Customer Personal Data related to such Authorised User(s) until a written request from such Authorised User(s) is received by 1080TMS in accordance with this Section 2.7.

2.8 Cooperation and data subjects’ rights. 1080TMS shall provide reasonable assistance to Customer (at Customer’s expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that 1080TMS processes on Customer’s behalf. In the event that any request, correspondence, enquiry or complaint is made directly to 1080TMS, 1080TMS shall promptly notify Customer and provide it with a copy of the request, unless legally prohibited from doing so.

2.9 Data Protection Impact Assessment. 1080TMS shall provide reasonable assistance to Customer (at Customer’s expense) with undertaking an assessment of the impact of processing Customer Personal Data, and with any consultations with a data protection authority, if and to the extent an assessment or consultation is required to be carried out under the Applicable Data Protection Laws.

2.10 Sub-processors. Customer agrees that 1080TMS may engage Sub-processors to process Customer Personal Data for the Permitted Purpose. The Sub-processors currently engaged by 1080TMS and authorised by Customer are listed at https://1080agile.com/1080tms/legal-documents/sub-processors/. 1080TMS shall ensure that: (a) there is a written agreement in place with each Sub-processor that imposes terms and conditions that require the relevant Sub-processor to protect Customer Personal Data to the standard required by the Applicable Data Protection Laws; and (b) it remains responsible to Customer for the performance of such Sub-processors’ data protection obligations under such terms and conditions. 1080TMS shall notify Customer if it adds any new Sub-processors at least 20 days before the proposed addition, in order to allow Customer to raise any reasonable objections on grounds of data protection. If Customer rejects the appointment of any new Sub-processor and 1080TMS is unable to perform its Services without this new Sub-processor, Customer shall have the right to terminate the Agreement.

2.11 Restricted Transfers. The parties agree that when the transfer of Customer Personal Data from Customer (as “data exporter”) to 1080TMS (as “data importer”) is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards be put in place, it shall be subject to the SCCs, which shall be deemed incorporated into and form part of this DPA, as follows:

(a) in relation to transfers of Customer Personal Data protected by the EU GDPR and processed in accordance with Section 2.1(a) of this DPA, the SCCs shall apply and be completed as follows:

(i) Module Two will apply;

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes is as set out in Section 2.11 of this DPA;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;

(vi) in Clause 18(b), disputes will be resolved before the courts of Ireland; and

(vii) the Annexes of the SCCs shall be populated with the information set out in the corresponding Annexes to this DPA;

(b) in relation to transfers of Customer Personal Data protected by the EU GDPR and processed in accordance with Section 2.1(b) of this DPA, the SCCs shall apply and be completed as follows:

(i) Module One will apply;

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;

(v) in Clause 18(b), disputes will be resolved before the courts of Ireland; and

(vi) the Annexes of the SCCs shall be populated with the information set out in the corresponding Annexes to this DPA;

(c) in relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs will apply as completed in accordance with Sections 2.12(a) and (b) of this DPA and are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming a part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed with the relevant information set out in Sections 2.12(a) and (b) of this DPA, as well as the Annexes to this DPA and Table 4 in Part 1 of the UK Addendum is deemed completed by selecting “neither party”. Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum; and

(d) in relation to transfers of Customer Personal Data protected by the Swiss DPA, the SCCs will apply in accordance with Sections 2.12(a) and (b) of this DPA, with the following amendments:

(i) any references to “Directive 95/46/EC” or “Regulation (EU) 2016/670” will be replaced with references to the Swiss DPA, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent Article(s) or Section(s) of the Swiss DPA;

(ii) any references to “EU”, “Union”, “Member State” and “Member State Law” will be replaced with references to Switzerland and Swiss Law, as applicable;

(iii) Clause 13 and Part C of Annex 1 will be amended to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss DPA;

(iv) references to the “competent supervisory authority” and “competent courts” will be replaced with references to the FDPIC and competent courts in Switzerland;

(v) Clause 17 is amended to provide that the SCCs will be governed by the laws of Switzerland; and

(vi) Clause 18(b) is amended to provide that disputes will be resolved before the applicable courts of Switzerland.

2.12 General Customer obligations. Without limiting Customer’s other obligations under the Agreement, Customer shall: (a) comply at all times with the Applicable Data Protection Laws in its processing of Customer Personal Data, including (but not limited to) when Customer discloses Customer Personal Data to 1080TMS under the Agreement, and provide 1080TMS with such cooperation, assistance and information as 1080TMS may reasonably request to comply with its obligations under the Applicable Data Protection Laws; (b) ensure that any instructions it issues to 1080TMS comply with the Applicable Data Protection Laws; (c) ensure that it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Laws to process Customer Personal Data (including but not limited to any Sensitive Personal Data) and to enable 1080TMS to provide the Services pursuant to the Agreement (including this DPA); (d) ensure that any Customer Personal Data provided to 1080TMS is limited to only what is necessary in order for 1080TMS to provide the Services and such Customer Personal Data is accurate and up-to-date to the best of Customer’s knowledge at the time that it is provided to 1080TMS; (e) use all reasonable endeavours to promptly notify 1080TMS upon becoming aware that Customer Personal Data has become inaccurate or out of date; and (f) not do or permit to be done anything within its knowledge or control which may cause or otherwise result in 1080TMS being in breach of the Applicable Data Protection Laws.

2.13 Exclusions and limitations of liability. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

 

ANNEX 1

DESCRIPTION OF THE PROCESSING ACTIVITIES / TRANSFER

 

ANNEX 1A: LIST OF PARTIES

Data exporter
Name: Customer (as identified in the Agreement).
Address: Customer’s address (as identified in the Agreement).
Contact Person’s name, position and contact details: Customer Contact Name and corresponding details (as identified in the Agreement).
Activities relevant to the transfer: Refer to Annex 1B below.
Role: Controller.

Data importer
Name: The 1080TMS contracting entity (as identified in the Agreement).
Address: The 1080TMS contracting entity’s address (as identified in the Agreement).
Contact: Ms Rose Aguilar – admin@1080agile.com.
Activities relevant to the transfer: Refer to Annex 1B below.
Role: Processor and/or controller.

 

ANNEX 1B: DESCRIPTION OF PROCESSING / TRANSFER

Categories of data subjects

Authorised Users

Customers

Categories of personal data

Personal details, including any information that identifies the data subject and their personal characteristics, including: name, email address, residential address, phone number, date of birth, gender (including gender neutrality), photo and citizenship and immigration status;

Personal details issued as an identifier by a public authority, including passport details, social security numbers, national insurance numbers, identity card numbers, and driving licence details;

Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, and professional expertise;

Employment details, including information relating to the employment of the data subject, remuneration, position or job function, term of employment, shift and attendance records, health and safety records, performance appraisals, training records, and security records;

Job application information, including resumes, eligibility to work, previous employment details and job application videos;

Financial details, including information relating to the financial affairs of the data subject, including bank account, tax and superannuation/pension information;

Device data, including connection type and settings, operating system, browser type, IP address, time zone settings, the time spent on webpages, unique device identifiers, cookies, online tracking data, geolocation data and other diagnostic data;

Content created by Customer or data subjects and submitted to the 1080TMS platform; and

Data subjects’ preferences with respect to receiving marketing communications from 1080TMS.

Special categories of personal data

Biometric information.

Other special categories of personal data may be processed by 1080TMS, from time to time, in circumstances where Customer or its Authorised Users choose to disclose special categories of personal data using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to disclosing, or prior to permitting its Authorised Users to disclose, any other special categories of personal data using the Services.

Frequency of the transfer

Continuous.

Nature and purpose of the processing

The nature and purpose of processing personal data is to enable the functionality of the 1080TMS platform as set out in the Agreement and related documentation.

Duration of the processing

Processing of the personal data will continue for the duration of the Agreement.

ANNEX 1C: COMPETENT SUPERVISORY AUTHORITY

The data exporter’s competent supervisory authority will be determined in accordance with the EU GDPR or UK GDPR (as applicable).

 

ANNEX 2

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

1080TMS implements a variety of technical and organisational security measures, the details of which are set out at 1080agile.com/security.

 

ANNEX 3

LIST OF SUB-PROCESSORS

A list of 1080TMS’s current Sub-processors is set out at https://1080agile.com/1080tms/legal-documents/sub-processors/.

 
